floridaflatlander Posted April 18, 2011

I was checking my inputs and found out my mysql_real_escape_string() wasn't working, and how little I knew about mysql_real_escape_string(). Is mysql_real_escape_string() just supposed to add slashes, e.g. from this ( ' ) to this ( \' )? Or is it supposed to be more disruptive? Also, what format should it be in?

When I have this, everything goes to my database, and when I add ''Or''='' I can mess up stuff in my form display:

    // $discrip = ($_POST ['discrip']);
    $discrip = mysqli_real_escape_string($db, trim($discrip));

When I have this it seems to work but takes everything out, not leaving \'\'OR\'\'==\'\'. So if I put

    1 <img src="images/bass_031611.jpg" />
    2 <?php ?>
    3 '' OR ''=''

into my UPDATE, all of it gets taken out:

    $discrip = ($_POST ['discrip']);
    mysqli_real_escape_string($db, trim($discrip));

Most books I have give the example of:

    $discrip = mysqli_real_escape_string($db, trim($discrip));

Not:

    mysqli_real_escape_string($db, trim($discrip));

I have PHP 5.3 on XAMPP. Thanks in advance, S

Thread: https://forums.phpfreaks.com/topic/234089-info-about-mysql_real_escape_string-needed-what-does-it-do-how-to-use-it/
Pikachu2000 Posted April 18, 2011

This code does nothing useful:

    $discrip = ($_POST ['discrip']);
    mysqli_real_escape_string($db, trim($discrip));

The result of the function must be reassigned to be usable.

    $discrip = ($_POST ['discrip']);
    $discrip = mysqli_real_escape_string($db, trim($discrip));
floridaflatlander (Author) Posted April 18, 2011

Thanks for the reply. True,

    mysqli_real_escape_string($db, trim($discrip));

does nothing, while

    $discrip = mysqli_real_escape_string($db, trim($discrip));

lets info be entered.

Is mysql_real_escape_string() just supposed to add slashes, e.g. from this ( ' ) to this ( \' )? Or is it supposed to be more disruptive? What does mysqli_real_escape_string() do?

I've been using UPDATE and mysqli_real_escape_string() to edit records with

    <img src="images/10_bass_031611-2_2242.jpg" />
    <?php echo 'me'; ?>
    '' OR ''=''
    \n

and all of it seems to go in my database just like I enter it. Thanks
jcbones Posted April 18, 2011

It tells the database to escape the data, then drop the slashes when it enters the text. This will leave the text in the database just like it was entered, all the while slightly protecting you from injection attacks.

For instance, try inserting this string into your database with and without the mysqli_real_escape_string():

    ' OR '

You will find vast differences in the actions of the database. Note, in an edit situation, this will simply input the string into the database with the function. Without the function, it will trigger an error that will allow someone to further manipulate your database, because they now have a table name and column names (if your errors are sent to the page output).
floridaflatlander (Author) Posted April 19, 2011

Thanks for the reply. I must be doing something wrong, because I don't see any difference in the database at all if I use

    ' OR '

or

    <img src="images/10_bass_031611-2_2242.jpg" />
    <?php echo 'me'; ?>
    '' OR ''=''
    \n

People will be entering text in this area of a table, so strip_tags would get rid of photos and stuff like that. But does that still leave stuff like SQL injection problems when I don't see any difference in stuff like ''OR''='' and ' OR '? Thanks
Pikachu2000 Posted April 19, 2011

The slashes don't actually get inserted in the database. They only serve to indicate that the character that follows is to be interpreted as a string literal, rather than a control character. mysql_real_escape_string <--- manual page.
floridaflatlander (Author) Posted April 19, 2011

Yes, I saw that, and to me this, from php.net:

    mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

means that \n should be \\n and ' should be \' in my database. Anyway, as long as it works. Thanks to everyone
Pikachu2000 Posted April 19, 2011

Yes, PHP prepends a backslash. If you echo the escaped value, you'll see the backslash. When the query is passed to the db, MySQL uses that backslash as an indicator, and doesn't insert it in the DB.
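The points made by Pikachu2000 and jcbones above (the return value must be assigned, the backslashes are visible in PHP but not stored, and the unescaped quote alters the statement), shown in one runnable script. This is an added example, not code from the thread; it assumes a reachable MySQL server with the placeholder credentials below and a table `items` with columns `id` and `discrip`, and it also shows a prepared statement, which the thread does not cover, as the escaping-free alternative.

```php
<?php
// Added example. Placeholder credentials and table name are assumptions.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping is charset-aware; set it before escaping

$input = "' OR '"; // the test string jcbones suggested
$id    = 1;

// 1. Unescaped: the quote in the input closes the SQL string literal early,
//    so the input becomes part of the statement's structure.
$raw = "UPDATE items SET discrip = '$input' WHERE id = $id";
echo $raw, "\n";
// UPDATE items SET discrip = '' OR '' WHERE id = 1

// 2. Escaped: the return value MUST be assigned. Calling the function and
//    discarding the result (as in the first post) changes nothing.
$escaped = $db->real_escape_string(trim($input));
echo $escaped, "\n";            // \' OR \'   <- backslashes visible in PHP
$sql = "UPDATE items SET discrip = '$escaped' WHERE id = $id";
echo $sql, "\n";
// UPDATE items SET discrip = '\' OR \'' WHERE id = 1
// MySQL reads \' as a literal quote and stores ' OR ' without backslashes.

// 3. Prepared statement: the value never becomes part of the SQL text,
//    so there is no escaping step to forget or mis-assign.
$stmt = $db->prepare('UPDATE items SET discrip = ? WHERE id = ?');
$stmt->bind_param('si', $input, $id);
$stmt->execute();
echo $stmt->affected_rows, " row(s) updated\n";
$stmt->close();

// Read it back: the stored value is ' OR ', exactly as entered.
$stmt = $db->prepare('SELECT discrip FROM items WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($stored);
$stmt->fetch();
var_dump($stored === $input); // bool(true): no backslashes in the DB
$stmt->close();
$db->close();
```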
floridaflatlander (Author) Posted April 19, 2011

Yes it does, cool, and thanks